CVE-2026-21694: Trailing Spread Mass Assignment

Provally Curated | Public repository | Severity: Medium | Confidence: Medium | Verified | License: Apache-2.0 | Language: javascript
greprules fetch cve-2026-21694-trailing-spread-mass-assignment --engine opengrep

Description

An object spread (`...$X`) placed after explicitly defined properties overwrites any of those properties whose keys also appear in the spread object, because later entries in an object literal win. When the preceding properties act as access-control or identity boundaries (for example the `$KEY` the rule matches on), this becomes a mass assignment vulnerability whenever the spread object carries user-controlled keys: an attacker who includes the same key in the request body overrides the server-set ID and can read or modify another principal's record, bypassing authorization. Move the
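The overwrite described above, shown as an added JavaScript example rather than the rule's own code or test cases. The function names (`buildUpdateVulnerable`, `buildUpdateHardened`, `buildUpdateAllowList`), the field names and the request body are constructed for illustration; the vulnerable form spreads the body after the identity key, the two hardened forms put the server-set key last or drop the spread entirely.

```javascript
// Added example, not part of the rule or its test cases. Function names,
// field names and the request body below are constructed for illustration.

// Vulnerable: `...body` is spread AFTER the identity key, so any `userId`
// present in the user-controlled body silently overwrites the server's value.
function buildUpdateVulnerable(sessionUserId, body) {
  return { userId: sessionUserId, ...body };
}

// Fix 1: move the spread before the explicit property. Later keys win in an
// object literal, so the server-set `userId` now always takes precedence.
// Note that every other key in the body is still copied verbatim.
function buildUpdateHardened(sessionUserId, body) {
  return { ...body, userId: sessionUserId };
}

// Fix 2 (stricter): never spread the body at all; copy only allow-listed
// fields onto an object whose identity key is set by the server.
const ALLOWED_FIELDS = ["displayName", "bio"];
function buildUpdateAllowList(sessionUserId, body) {
  const out = { userId: sessionUserId };
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      out[key] = body[key];
    }
  }
  return out;
}

// Constructed attacker request body: one legitimate field plus an injected
// `userId` aimed at another account and an `isAdmin` flag the client should
// never be able to set.
const ATTACKER_BODY = JSON.parse(
  '{"displayName":"mallory","userId":"admin-0001","isAdmin":true}'
);
const SESSION_USER = "user-42";

// Runs all three builders against the same body so the difference is visible.
function demo() {
  return {
    vulnerable: buildUpdateVulnerable(SESSION_USER, ATTACKER_BODY),
    hardened: buildUpdateHardened(SESSION_USER, ATTACKER_BODY),
    allowList: buildUpdateAllowList(SESSION_USER, ATTACKER_BODY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Reordering the spread is the minimal fix the rule points at, and it is enough to protect the identity key; it does not stop other unexpected keys (here `isAdmin`) from being copied through, which is why the allow-list variant is the one to prefer when the object is later persisted.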

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
